Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.
A remote attacker, without authentication, can achieve partial data exposure, partial data tampering. Federal agencies are required to remediate by 2023-07-13 under CISA BOD 22-01.
This is a Cross-Site Scripting (XSS) (CWE-79) vulnerability in Roundcube Roundcube Webmail. An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. Exploitation requires remote network access, low attack complexity, no authentication required, and user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2023-06-22 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2023-07-13.
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply updates per vendor instructions.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References